I have a Java application that I have been developing. I use an external DB server that I can't control. I want to simulate a connection error to it, but I'm unable to do so. I have tried to use iptables and tc to create the situation, but if the Java program is already running it can still query the database. If I restart the application then the blocking succeeds. Is there something I don't understand?
1 Answer
The first thing you don't understand is that we can't debug your iptables rules if you don't show them to us.
That being said, I see a potential pitfall. But of course I don't know whether that is your problem.
It's likely that the Java application establishes a TCP connection to the database once and for all when it starts. If your firewall merely blocks connection establishment packets and lets packets through if they're part of an established TCP session (iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT), then your application will be able to continue communicating with the database. In order to block the communication, you need to either set up the firewall before starting the application, or block all TCP packets whose destination is the database port.
- Thanks for your answer. What I failed to mention in the first post was that I was using a virtual machine. I was able to block the active connection from the host using ipfw (OS X). Also I wasn't aware of the fact that blocking established connections is quite hard! – Tomi Savolainen, Jun 11, 2015 at 8:19
- @TomiSavolainen Blocking already-established connections is not hard, it's in fact easier. But many common firewall setup examples show how to let all already-established connections through, so as to prevent only incoming connections and allow all outgoing connections. – Gilles 'SO- stop being evil', Jun 11, 2015 at 8:21
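The pitfall the answer describes and the two ways out of it, as an added example that is not code from the question, the answer or the comments: the DB address and port below are constructed placeholders, the chain is assumed to be OUTPUT because the application is the connecting side, and the script must be run as root on a Linux host with iptables and ss.

```shell
#!/bin/sh
# Added example, not from the thread above. Assumes Linux with iptables and
# ss, an app that connects outbound to a DB, and the placeholder address and
# port below (constructed values, substitute your own).
DB_HOST="${DB_HOST:-203.0.113.10}"
DB_PORT="${DB_PORT:-5432}"

# The rule many setup examples install: once a session is in conntrack,
# every later packet of it is accepted, so a connection the app opened
# before the block was added keeps working. This is the answer's pitfall.
stateful_allow_rule() {
  echo "iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT"
}
# A block that matches only NEW state stops fresh connects but leaves an
# already-open JDBC connection untouched; restarting the app is what makes
# it "work", exactly as observed in the question.
new_only_block_rule() {
  echo "iptables -A OUTPUT -p tcp -d $DB_HOST --dport $DB_PORT -m state --state NEW -j REJECT"
}
# The rule that actually ends the simulation: no state match, every TCP
# packet to the DB port, inserted at position 1 so it is evaluated before
# any ESTABLISHED accept. REJECT with tcp-reset makes the app see a hard
# error at once; DROP makes it hang until its socket timeout fires, which
# is a different failure mode and worth testing on its own.
full_block_rule() {
  case "${1:-reset}" in
    drop) echo "iptables -I OUTPUT 1 -p tcp -d $DB_HOST --dport $DB_PORT -j DROP" ;;
    *)    echo "iptables -I OUTPUT 1 -p tcp -d $DB_HOST --dport $DB_PORT -j REJECT --reject-with tcp-reset" ;;
  esac
}
# The same match with -D removes the rule again.
undo_rule() {
  full_block_rule "${1:-reset}" | sed 's/ -I OUTPUT 1 / -D OUTPUT /'
}
# Lists the live connections to the DB port before blocking; if any show
# up here, a NEW-only rule will not affect them.
established_check_cmd() {
  echo "ss -tn state established '( dport = :$DB_PORT )'"
}
# Usage (as root): sh block_db.sh block [reset|drop]   /   sh block_db.sh undo [reset|drop]
main() {
  case "$1" in
    block) eval "$(established_check_cmd)"; eval "$(full_block_rule "$2")" ;;
    undo)  eval "$(undo_rule "$2")" ;;
    *)     echo "usage: $0 block|undo [reset|drop]" >&2; return 2 ;;
  esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Only full_block_rule is meant to be applied during the test; stateful_allow_rule and new_only_block_rule are printed for comparison so you can spot the same shapes in your own ruleset.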